U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:jenkins:script_security:1.11:*:*:*:*:jenkins:*:*
  • CPE Name Search: true
There are 27 matching records.
Displaying matches 21 through 27.
Vuln ID Summary CVSS Severity
CVE-2019-1003029

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

Published: March 08, 2019; 4:29:00 PM -0500 		V4.0:(not available)
 V3.1: 9.9 CRITICAL
V2.0: 6.5 MEDIUM
CVE-2019-1003024

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Published: February 20, 2019; 4:29:00 PM -0500 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2019-1003005

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Published: February 06, 2019; 11:29:00 AM -0500 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2019-1003000

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.

Published: January 22, 2019; 9:29:00 AM -0500 		V4.0:(not available)
 V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2018-1000865

A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed.

Published: December 10, 2018; 9:29:01 AM -0500 		V4.0:(not available)
 V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2017-1000505

In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval.

Published: January 25, 2018; 1:29:00 PM -0500 		V4.0:(not available)
 V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2016-3102

The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.

Published: February 09, 2017; 10:59:01 AM -0500 		V4.0:(not available)
 V3.0: 7.3 HIGH
V2.0: 7.5 HIGH